Secure/Alternate DNS Server Config Questions on WAN tab (AX86U Pro)

SR-71

Regular Contributor
Hi everyone, I've configured the secure DNS settings per the attached screenshot, and I'm confused by the two DNS server IP sections in the WAN tab.

Specifically, I'm confused about when the top "DNS Server" section applies (takes precedence) over the "Preset servers" list at the bottom. Can someone kindly explain this?

Trying to "logic" my way through it, it occurs to me to ask whether the top DNS server pair would be used when there's no DNS security used by the end client, but bottom list used when it is? If not, then why have both sections?

The end goal is enhanced security and privacy, while using "reasonably" fast DNS servers:
  • I want to have all the DNS security including DoT enabled, using Quad9's servers as primary.
  • I've read they supposedly block more known malware sites than Cloudflare from what I've found online.
  • Definitely don't want to use Google's or ISP's DNS servers for privacy, as they are notorious for selling data.
Will this config satisfy the goal? Any suggested changes, and if so, why?

Not knowing which is the best order for the bottom table, I first selected Quad9's IP4 servers, then their IP6 servers, then the same order for Cloudflare's servers. If overkill, very easy to shorten the list if it makes sense. :)

Other questions:
  • Am I correct in assuming that regarding the bottom list, it will use the first IP address listed, then if one set of DNS servers is down or inaccessible, it will go to the next in the list? (Realize it's unlikely given how robust these DNS networks are, but "stuff" happens.)
  • Is there any need to specify the IPv6 servers if IPv4 are already included, or vice versa? (ISP is Xfinity)
 

Attachments

  • DNS Server Screenshot 10-12-25.jpg
Cloudflare 1.1.1.1 doesn’t block anything. You can manually enter the Cloudflare Security IPs:
Code:
1.1.1.2
1.0.0.2
2606:4700:4700::1112
2606:4700:4700::1002
Use security.cloudflare-dns.com as the TLS Hostname.
 
Your IPv4 DNS Server settings (in what you call the upper block) are fine. The reason there are two is for backup.

Your DoT settings need to be changed. If you plan to use Quad9, just use their servers (also called resolvers).
But do them in this order:
9.9.9.9
2620:fe::fe
149.112.112.112
2620:fe::9

The program the router uses to do DoT is called Stubby. Stubby has a feature called Round Robin that will cycle through the DoT servers chosen to help reduce the load and improve response. Using these settings, the requests will go to the first server over IPv4, then IPv6, then switch to the second server over IPv4, then IPv6. If you do not need to use IPv6 on the router, I recommend you not enable it and just use IPv4.

Do not use servers from another provider. Keep them all the same. There is a chance you could get unpredictable results if you do.
Also disable DNSSEC. With DoT you really do not gain anything by adding DNSSEC.

FWIW: I use Cloudflare Security as I have had periodic connection failures with Quad9. Your results may be better than mine.
 
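To make the ordering and the TLS-hostname advice in the two replies above concrete, here is a hand-written Stubby configuration that encodes them. This is an added example, not the file the ASUS firmware generates from the WAN tab (that file is built by the GUI and should not be edited by hand on stock firmware); it assumes a generic Stubby install, a listen address of 127.0.0.1@53000 (an assumption, chosen so it does not collide with dnsmasq on port 53), and uses dns.quad9.net as the TLS authentication name, which is Quad9's published hostname for the 9.9.9.9 / 149.112.112.112 malware-blocking service.

```yaml
# Added example: stubby.yml mirroring the thread's recommendations.
# Not the router's generated config. Listen address is an assumption.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS           # DoT only; no fallback to plain UDP/TCP 53
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the cert does not match tls_auth_name
tls_query_padding_blocksize: 128   # pad queries so sizes leak less about the name being looked up
edns_client_subnet_private: 1      # do not send the client's subnet to the upstream resolver
round_robin_upstreams: 1           # rotate through the upstream list in the order given below
idle_timeout: 10000                # keep the TLS session open between queries (ms)
listen_addresses:
  - 127.0.0.1@53000                # assumption: a local port dnsmasq would forward to

# Quad9 in the interleaved order the reply recommends:
# first resolver over IPv4, then IPv6, then the second resolver over IPv4, then IPv6.
# All four share one provider and one tls_auth_name, as the reply advises.
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::fe
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::9
    tls_auth_name: "dns.quad9.net"

# Alternative from the earlier reply: Cloudflare's malware-blocking resolvers.
# Replace the whole Quad9 block with this one rather than mixing providers.
#upstream_recursive_servers:
#  - address_data: 1.1.1.2
#    tls_auth_name: "security.cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1112
#    tls_auth_name: "security.cloudflare-dns.com"
#  - address_data: 1.0.0.2
#    tls_auth_name: "security.cloudflare-dns.com"
#  - address_data: 2606:4700:4700::1002
#    tls_auth_name: "security.cloudflare-dns.com"
```

If the router has no IPv6 WAN connectivity, drop the two IPv6 entries instead of leaving them in: with round robin enabled Stubby will otherwise keep rotating onto upstreams it cannot reach. The value of `GETDNS_AUTHENTICATION_REQUIRED` is that a wrong `tls_auth_name` (for example pairing 1.1.1.2 with `cloudflare-dns.com` instead of `security.cloudflare-dns.com`) makes resolution fail loudly rather than silently accepting a certificate for the wrong name. To exercise a file like this outside the router, `stubby -C stubby.yml -l` runs it in the foreground with logging to stderr, and `dig @127.0.0.1 -p 53000 example.com` (an assumed test name) shows whether queries are being answered over the configured upstreams.
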
To be sure, the router will use the top DNS resolvers for all clients and DNS calls if the bottom (DoT) resolvers are unset, correct?
With DoT enabled the "top" DNS servers are used at boot time. Once up and running the DoT servers are used.
 
> Cloudflare 1.1.1.1 doesn’t block anything. You can manually enter the Cloudflare Security IPs:
> Code:
> 1.1.1.2
> 1.0.0.2
> 2606:4700:4700::1112
> 2606:4700:4700::1002
> Use security.cloudflare-dns.com as the TLS Hostname.
Thanks, that's what I was looking for. I prefer Cloudflare's performance but went with Quad9 since I didn't know CF had additional malware blocking IPs.

From a quick search, it appears that Quad9 supposedly still has more comprehensive malware blocking than CF. That said, with Quad9, sometimes I've seen some weirdness in accessing a few sites. Think I'll give CF a try -- always liked their fast performance.
 
> Your IPv4 DNS Server settings (in what you call the upper block) are fine. The reason there are two is for backup.
>
> Your DoT settings need to be changed. If you plan to use Quad9, just use their servers (also called resolvers).
> But do them in this order:
> 9.9.9.9
> 2620:fe::fe
> 149.112.112.112
> 2620:fe::9
>
> The program the router uses to do DoT is called Stubby. Stubby has a feature called Round Robin that will cycle through the DoT servers chosen to help reduce the load and improve response. Using these settings, the requests will go to the first server over IPv4, then IPv6, then switch to the second server over IPv4, then IPv6. If you do not need to use IPv6 on the router, I recommend you not enable it and just use IPv4.
>
> Do not use servers from another provider. Keep them all the same. There is a chance you could get unpredictable results if you do.
> Also disable DNSSEC. With DoT you really do not gain anything by adding DNSSEC.
>
> FWIW: I use Cloudflare Security as I have had periodic connection failures with Quad9. Your results may be better than mine.
Thanks, I really appreciated both the ordering and the fuller explanation!

Quick question -- will leaving DNSSEC on with DoT cause any issues?
 